Black Hat USA 2010 Summary

Hundreds of security professionals and system administrators attended Black Hat USA 2010 in Las Vegas. Black Hat conferences always attract thought leaders from all facets of the information security world, including the corporate and government sectors, as well as a large group of researchers. The following are a few highlights of the presentations delivered during the Black Hat USA 2010 briefings.

On Wednesday, July 28, Ben Feinstein, Jeff Jarmoc and Dan King, from SecureWorks, delivered a presentation titled “The Emperor Has No Clothes: Insecurities in Security Infrastructure.” In their presentation, they described several vulnerabilities in Cisco ASA and McAfee’s Network Security Manager console. All the vulnerabilities described in the presentation were responsibly coordinated with Cisco prior to disclosure. Mr. Jarmoc demonstrated a vulnerability in Cisco ASA that could allow an attacker to bypass access control lists (ACLs). This vulnerability was addressed in a Cisco Security Advisory published on April 8, 2009, and it has been fixed in all affected releases. Successful exploitation of this vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA.

Jarmoc also found issues with Cisco’s Adaptive Security Device Manager (ASDM) authentication mechanisms. These limitations could allow an attacker to gain administrator credentials and execute code by leveraging a cross-site request forgery (CSRF) attack. Mr. King demonstrated a cross-site scripting (XSS) attack against the centralized management console of McAfee’s Network Security Manager. XSS is a flaw in web applications that lets malicious users, vulnerable websites, or owners of malicious websites deliver malicious code to the browsers of unsuspecting users. The malicious code is usually a script, either embedded in the URL of a link or stored on the vulnerable server or the malicious website.

The presentation “Jackpotting Automated Teller Machines” was originally on the schedule at Black Hat USA 2009, but the talk was pulled at the last minute. However, this year Barnaby Jack elaborated on attacks against standalone Automated Teller Machines (ATMs). His presentation was quite informative and, at the same time, entertaining. Barnaby demonstrated how to locally and remotely exploit vulnerabilities by making these ATMs dispense numerous fake dollar bills in front of the audience.

Dan Kaminsky’s presentation “Black Ops Of Fundamental Defense: Web Edition DNS” started with an introduction to the state of DNSSEC and its relevance to addressing some of the most fundamental security problems on the Internet. He followed by demonstrating how to deploy a full end-to-end DNSSEC implementation within 2 minutes by using Freebird. Freebird is an extremely fast server built with a little over 400 lines of code. He also introduced the concept of DNS over HTTP. Dan demonstrated how to acquire end-to-end trust via DNSSEC by using Domain Key Infrastructure (DKI).

Craig Heffner delivered a presentation titled “How to Hack Millions of Routers.” Craig’s talk did not disclose any new vulnerabilities in endpoint devices; however, it demonstrated how to leverage a flaw in modern browsers to attack consumer networking devices via default credentials and known vulnerabilities. The attacks could potentially be mitigated by following the recommendations provided by Cisco Linksys.

Jason Nehrboss demonstrated how someone, should they gain the ability to install arbitrary TCL or EEM scripts, could “trojan the affected device” or leverage a compromised device to perform network packet captures, and how to forward and reverse shell connections. His work expands on concepts that have previously been disclosed by several other researchers, such as Felix Lindner (FX) and Christoph Weber, as well as research done by IRM Research.

Sohail Ahmad’s demo called WPA Too! (aka Hole 196) described a deficiency in the Wi-Fi Protected Access 2 (WPA2) protocol. The vulnerability could allow an attacker to steal users’ information by injecting spoofed packets encrypted with the Group Temporal Key (GTK). The attacker must already be logged in to the wireless network in order to successfully launch the attack. If successful, an attacker can sniff and decrypt data from other authorized users.

Note: In autonomous APs, Public Secure Packet Forwarding (PSPF) can be used to mitigate this issue. It is used to prevent client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. In Lightweight APs, the feature or the mode that performs a similar function of PSPF is called peer-to-peer blocking mode and is configured in the Wireless Controller.
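As an added illustration (not part of the original post), the two mitigations the note refers to, shown side by side: PSPF on an autonomous Aironet AP running Cisco IOS, and per-WLAN peer-to-peer blocking on a Wireless LAN Controller. The radio interface name and WLAN id 1 are assumed values; adjust them to the deployment.

```text
! Autonomous AP (Cisco IOS): enable PSPF on the radio interface.
! With port-protected set, clients associated with this radio can no
! longer exchange frames with each other through the AP, so traffic an
! insider redirected to itself via spoofed GTK-encrypted broadcasts is dropped.
interface Dot11Radio0
 bridge-group 1
 bridge-group 1 port-protected
!
! Wireless LAN Controller CLI: the lightweight-AP equivalent is
! peer-to-peer blocking, configured per WLAN (WLAN id 1 is assumed).
! "drop" discards client-to-client traffic; "disable" is the default,
! which forwards it and leaves the redirection path open.
(Cisco Controller) >config wlan disable 1
(Cisco Controller) >config wlan peer-blocking drop 1
(Cisco Controller) >config wlan enable 1
(Cisco Controller) >show wlan 1
```

Verify with `show wlan 1` (look for the Peer-to-Peer Blocking Action line) on the controller, or `show running-config interface Dot11Radio0` on the autonomous AP.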
